Analysis
  max time kernel: 149s
  max time network: 146s
  platform: windows7_x64
  resource: win7v20201028
  submitted: 18-01-2021 07:25

Static task: static1
Behavioral task: behavioral1
  Sample: _MVOCEANGLORY_Inquiry.xlsx
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: _MVOCEANGLORY_Inquiry.xlsx
  Resource: win10v20201028

General
  Target: _MVOCEANGLORY_Inquiry.xlsx
  Size: 1.7MB
  MD5: 92484ad004022b18f529dc8420117aee
  SHA1: 2b614a1f275f6fff2fa6ff2362e343a8f7af3b07
  SHA256: 8a59252c90714f9b4221ca33dfe39baa66254a69f7d074aae1994f58c55da736
  SHA512: 7703a2d1bc91178a45bad9a3fe4e4ac9fb14fb8b8f3e7fa2b448ac8e3b428000b29b220a85f567e53a1d0173e7cf1f658381b5be7ce19d47599d9fce54622d1b

Malware Config
  Extracted: formbook
  C2 URL: http://www.kaiyuansu.pro/incn/
Signatures

Xloader Payload 3 IoCs
Processes:
  resource | yara_rule
  behavioral1/memory/1580-20-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral1/memory/1580-21-0x000000000041D060-mapping.dmp | xloader
  behavioral1/memory/1116-31-0x00000000000F0000-0x0000000000119000-memory.dmp | xloader

Blocklisted process makes network request 1 IoCs
Processes:
  flow | pid | process
  7 | 752 | EQNEDT32.EXE

Executes dropped EXE 2 IoCs
Processes:
  pid | process
  476 | vbc.exe
  1580 | vbc.exe

Loads dropped DLL 4 IoCs
Processes:
  pid | process
  752 | EQNEDT32.EXE (4 entries)

Uses the VBS compiler for execution 1 TTPs

Suspicious use of SetThreadContext 3 IoCs
Processes:
  description | pid | process | target process
  PID 476 set thread context of 1580 | 476 | vbc.exe | vbc.exe
  PID 1580 set thread context of 1268 | 1580 | vbc.exe | Explorer.EXE
  PID 1116 set thread context of 1268 | 1116 | cmstp.exe | Explorer.EXE

Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid | process
  2044 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes:
  pid | process
  1580 | vbc.exe (2 entries)
  1116 | cmstp.exe (20 entries)

Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
  pid | process
  1580 | vbc.exe (3 entries)
  1116 | cmstp.exe (2 entries)

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1580 | vbc.exe
  Token: SeDebugPrivilege | 1116 | cmstp.exe

Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
  pid | process
  1268 | Explorer.EXE (4 entries)

Suspicious use of SendNotifyMessage 4 IoCs
Processes:
  pid | process
  1268 | Explorer.EXE (4 entries)

Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
  pid | process
  2044 | EXCEL.EXE (3 entries)

Suspicious use of WriteProcessMemory 22 IoCs
Processes:
  description | pid | process | target process
  PID 752 wrote to memory of 476 | 752 | EQNEDT32.EXE | vbc.exe (4 entries)
  PID 476 wrote to memory of 1580 | 476 | vbc.exe | vbc.exe (7 entries)
  PID 1268 wrote to memory of 1116 | 1268 | Explorer.EXE | cmstp.exe (7 entries)
  PID 1116 wrote to memory of 2000 | 1116 | cmstp.exe | cmd.exe (4 entries)
Processes
(process tree; the bracketed number is the depth of the process in the tree)

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [2] C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
        Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\_MVOCEANGLORY_Inquiry.xlsx
        - Enumerates system info in registry
        - Modifies Internet Explorer settings
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx

    [2] C:\Windows\SysWOW64\autoconv.exe
        Command line: "C:\Windows\SysWOW64\autoconv.exe"

    [2] C:\Windows\SysWOW64\cmstp.exe
        Command line: "C:\Windows\SysWOW64\cmstp.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: /c del "C:\Users\Public\vbc.exe"

[1] C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Launches Equation Editor
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Public\vbc.exe
        Command line: "C:\Users\Public\vbc.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Public\vbc.exe
            Command line: "{path}"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\vbc.exe
  MD5: 1c68b56f273eab047eccce3cbad492a5
  SHA1: 76598e8315496d2bfcaa35edd12f521483ff5c31
  SHA256: 6961aeab02e7dafda1e2f16e9ec88fd5dce6199925a71f22657a2c48627ae087
  SHA512: 7f24e6f61a86314e91275d4492b74659ca34f036fb32c20eccaebd68410a228dae3d1bca2f6faa74933692b50a19aca693b3c5ca803c3717175e19b58d1ba6e6
- memory/476-17-0x0000000000CE0000-0x0000000000CE1000-memory.dmp  Filesize: 4KB
- memory/476-18-0x00000000008F0000-0x00000000008FE000-memory.dmp  Filesize: 56KB
- memory/476-11-0x0000000000000000-mapping.dmp
- memory/476-19-0x0000000004F10000-0x0000000004F65000-memory.dmp  Filesize: 340KB
- memory/476-14-0x000000006C7D0000-0x000000006CEBE000-memory.dmp  Filesize: 6.9MB
- memory/476-15-0x00000000010B0000-0x00000000010B1000-memory.dmp  Filesize: 4KB
- memory/752-5-0x0000000075251000-0x0000000075253000-memory.dmp  Filesize: 8KB
- memory/1116-27-0x0000000000000000-mapping.dmp
- memory/1116-33-0x0000000001EC0000-0x0000000001F50000-memory.dmp  Filesize: 576KB
- memory/1116-30-0x00000000005E0000-0x00000000005F8000-memory.dmp  Filesize: 96KB
- memory/1116-32-0x0000000001FF0000-0x00000000022F3000-memory.dmp  Filesize: 3.0MB
- memory/1116-31-0x00000000000F0000-0x0000000000119000-memory.dmp  Filesize: 164KB
- memory/1268-26-0x00000000074E0000-0x0000000007674000-memory.dmp  Filesize: 1.6MB
- memory/1268-34-0x0000000004A10000-0x0000000004ACA000-memory.dmp  Filesize: 744KB
- memory/1580-25-0x00000000002F0000-0x0000000000301000-memory.dmp  Filesize: 68KB
- memory/1580-24-0x0000000000820000-0x0000000000B23000-memory.dmp  Filesize: 3.0MB
- memory/1580-21-0x000000000041D060-mapping.dmp
- memory/1580-20-0x0000000000400000-0x0000000000429000-memory.dmp  Filesize: 164KB
- memory/2000-29-0x0000000000000000-mapping.dmp
- memory/2016-6-0x000007FEF6510000-0x000007FEF678A000-memory.dmp  Filesize: 2.5MB
- memory/2044-2-0x000000002F1D1000-0x000000002F1D4000-memory.dmp  Filesize: 12KB
- memory/2044-3-0x0000000071671000-0x0000000071673000-memory.dmp  Filesize: 8KB
- memory/2044-4-0x000000005FFF0000-0x0000000060000000-memory.dmp  Filesize: 64KB